8th July 2013
irukandji
Port Guard
Join Date: Jul 2013
Posts: 16
Multihome, packets leaving by "wrong" interface

My setup:

Code:
         +--------+                +--------+
         |internet|                |internet|
         +----|---+                +---|----+
              |                        |
              |                        |
    +---------|---------+     +--------|---------+
    |    adj.router     |     |   93.27.123.23   |
    |   (VPN server)    |     |    lan router    |
    |    10.10.10.1     |     |(nat and port fwd)|
    +---------|---------+     |   192.168.1.1    |
              |               +--------+---------+
              |                        |
              |                        |
    +---------|------------------------|----------+
    |         |                        |          |
    |        tun0                     em0         |
    |     10.10.10.77            192.168.1.200    |
    |   (default route)            |       |      |
    |                              |       |      |
    |  +--------------+       +----|---+---|---+  |
    |  | client tools |       |80:HTTPD|21:SSHD|  |
    |  +--------------+       +--------+-------+  |
    |                                             |
    +---------------------------------------------+
I want to keep my srv daemons being accessible by static IP (93.27.123.23) while all other communication goes out via tun0.

The LAN router has port forwards to daemons on the host. When OpenVPN (as client) is running it sets the route for 0.0.0.0 to its gateway and because of this (at least I speculate this is the reason), the SYN comes from the internet to em0 but the ACK leaves the server via tun0. I believe pf reply-to should be able to enforce TCP packets leaving on the same interface where the TCP session was established, but apart from regularly killing my networking I wasn't able to configure it.

Can someone please help me? I can't post the rules I have written until now as my network is down again and I am at a remote location. Once I get to the console, I'll also provide netstat -r.

Last edited by irukandji; 8th July 2013 at 08:52 AM.
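The reply-to arrangement the post is asking about, as an added pf.conf fragment that is not part of the original post or of any answer to it. The interface names (em0, tun0), the LAN gateway 192.168.1.1 and the daemon ports 80 and 21 are taken from the diagram above; the macro names and the block/pass policy around them are assumptions for illustration. The option placement follows OpenBSD 4.7 and later, where reply-to is a filter option at the end of the rule; on older pf (and FreeBSD's) it sits before `proto`, so adjust if the parser rejects it.

```pf
# Added example, not from the original post: pin replies of inbound
# daemon connections to em0 while the host's own traffic follows the
# routing table (default route via tun0).
ext_if   = "em0"            # LAN-side interface behind the port-forwarding router
vpn_if   = "tun0"           # OpenVPN tunnel, holds the default route
lan_gw   = "192.168.1.1"    # LAN router that forwards 93.27.123.23 ports to this host
srv_ports = "{ 80, 21 }"    # daemons from the diagram (assumed listening ports)

set skip on lo

# Default-deny; pf keeps state on pass rules unless told otherwise.
block log all

# Host-originated connections: let the kernel routing table decide, so
# they leave via tun0 as intended. The OpenVPN transport itself also
# leaves here (via em0), since tun0 rides on top of em0.
pass out all

# Inbound connections that arrived on em0 through the router's port forwards.
# reply-to binds the return half of each state to em0 and hands the packets
# to $lan_gw, so the SYN/ACK does not follow the default route out of tun0.
pass in on $ext_if proto tcp from any to ($ext_if) port $srv_ports \
    reply-to ($ext_if $lan_gw)
```

Because reply-to only acts on packets matched against a state created by that rule, it does nothing for stateless rules and nothing for traffic the host initiates, which is exactly the split the post wants. Given that a bad rule set has already cut remote access, check the file with `pfctl -nf /etc/pf.conf` before loading it, and after loading confirm the states carry the route with `pfctl -s states` and `pfctl -s rules -vv`.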